# Let an agent investigate an event Canonical: https://docs.flowrelay.app/use-cases/agent-assisted-operations/ Markdown: https://docs.flowrelay.app/use-cases/agent-assisted-operations.md Use this path when a merchant wants an authorized agent to help answer what happened to an event without receiving broad store authority or private raw data. ## Investigation job An authorized agent can identify the endpoint, read the receipt, explain the current outcome, and suggest the next safe step from FlowRelay facts. ## Recovery job When the grant allows it, the agent can prepare governed replay or diagnostics actions. Execution still follows preview, explicit confirmation, idempotency, and audit. ## Hard boundaries Agents cannot self-escalate, approve billing, mint or widen their own grants, access raw secrets or payloads, submit support outside scoped FlowRelay support paths, or edit Shopify Flow without separate Shopify authorization. ## Typical path A typical path starts from the scenario, then moves into setup and verification. 1. Create or inspect the merchant-authorized grant and confirm the agent has only the scopes needed for investigation. 2. Have the agent start from /llms.txt, the relevant Markdown page, and /agent/v1/manifest before making authenticated calls. 3. Let the agent read setup state, event history, receipt facts, replay availability, and diagnostics state through the same Agent Operations contract. 4. Require action intents for side-effecting work, including replay preview, confirmation, idempotency, metering, and audit. 5. Escalate to a human for billing approval, grant changes, Shopify Flow workflow edits, secrets, raw data, support requests, or anything outside the grant. ## Related - [Agent Access](https://docs.flowrelay.app/agent-access.md) - [Agent orientation](https://docs.flowrelay.app/agent-access/agent-orientation.md) - [API Reference](https://docs.flowrelay.app/reference/api.md) ## Safety Boundary Do not include raw payloads, endpoint secrets, auth headers, HMAC values, Shopify tokens, Shopify sessions, database URLs, customer data, merchant incidents, or copied private logs in public examples.